Summary

Since PHP 5.2.0 there is a new memory manager that makes even one-byte underflow vulnerabilities exploitable, like the one described in this advisory.

When an all-whitespace string is passed to the header() function, this can result in a buffer underflow that allows code execution on at least big-endian systems like MacOS X on PPC.

Affected versions

PHP 5.2.0 is affected.

Detailed information

PHP 5.2.0 comes with a brand new memory manager that is no longer a simple wrapper around malloc()/free() but implements its own heap for the request memory pool. The new heap manager stores its control information in-band (next to the user data) and is therefore vulnerable to overflow attacks. Additionally, unlike the previous memory manager, it is vulnerable to one-byte underflows.

When the header() function is called, it first trims whitespace from its parameter. This is performed by the following code.

The code trims the trailing whitespace by moving backward through the header and writing NUL bytes over the whitespace at the end. Unfortunately the trimming does not work correctly on an all-whitespace string, because the backward move does not stop at the beginning of the string. Therefore the trimming operation will write NUL bytes in front of the allocated buffer whenever the bytes before the buffer start contain ASCII characters belonging to the whitespace charset.

The new memory manager stores the size of the previous memory block in front of the buffer. On a little-endian system it is therefore possible but unrealistic that the byte in front of the buffer contains a whitespace character (it is the most significant byte of the size). However, on big-endian systems like PPC it is possible for a remote attacker to create a heap layout that results in a whitespace character in front of the buffer. The trimming function will overwrite it with a NUL byte. The control information is therefore corrupted, and a standard attack against the unlink from the linked list of free blocks is possible, which can result in remote code execution as demonstrated by the POC.
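The following C program is an added illustration, not PHP's source and not the advisory's exploit. It models the two things the advisory describes: a trailing-whitespace trimmer that walks backward without a lower bound, and a heap block whose control data (the previous block's size, stored big-endian) sits immediately in front of the user buffer. The mini-heap, the 4-byte control field, the whitespace set and the block size are all constructed assumptions for the demonstration. Trimming an all-whitespace block with the unbounded loop clobbers the last byte of the size field when that byte happens to be 0x20; the bounded loop, which carries the length and stops at offset zero, leaves the control bytes intact.

```c
#include <stdio.h>
#include <string.h>

/* Whitespace set used by this model (an assumption; not PHP's exact set). */
static int is_ws(unsigned char c)
{
    return c == ' ' || c == '\t' || c == '\r' || c == '\n' || c == '\v' || c == '\f';
}

/* Model of the flawed trimmer the advisory describes: walks backward from
 * the end, writes a NUL over every whitespace byte, and never checks that
 * it has reached the start of the buffer. Reconstruction for illustration
 * only, not PHP's code. */
static void trim_trailing_unbounded(char *s, size_t len)
{
    char *p = s + len - 1;
    while (is_ws((unsigned char)*p)) {
        *p = '\0';
        p--;            /* on an all-whitespace string this runs past s */
    }
}

/* Hardened trimmer: the length bound stops the walk at the first byte of
 * the buffer. Returns the trimmed length. */
static size_t trim_trailing_bounded(char *s, size_t len)
{
    while (len > 0 && is_ws((unsigned char)s[len - 1])) {
        s[--len] = '\0';
    }
    return len;
}

#define CTRL_LEN  4   /* bytes of heap control data in front of the block (model) */
#define BLOCK_LEN 8   /* size of the header buffer in the model */

/* Lays out a constructed mini-heap: a 4-byte previous-block size followed by
 * the user block, stored big-endian so the byte just before the block is the
 * low byte of the size. A previous-block size of 0x20 puts 0x20 (' ') there,
 * the layout the advisory says an attacker can arrange on PPC. On a
 * little-endian layout the same position would hold the high byte, which is
 * why the advisory calls that case unrealistic.
 * Returns 1 if trimming an all-whitespace block modified the control bytes. */
int trim_corrupts_control(int use_bounded)
{
    unsigned char heap[CTRL_LEN + BLOCK_LEN];
    const unsigned char ctrl[CTRL_LEN] = { 0x00, 0x00, 0x00, 0x20 };
    char *block;

    memcpy(heap, ctrl, CTRL_LEN);
    memset(heap + CTRL_LEN, ' ', BLOCK_LEN);   /* all-whitespace header value */

    block = (char *)heap + CTRL_LEN;
    if (use_bounded)
        trim_trailing_bounded(block, BLOCK_LEN);
    else
        trim_trailing_unbounded(block, BLOCK_LEN);

    return memcmp(heap, ctrl, CTRL_LEN) != 0;
}

int main(void)
{
    printf("unbounded trim corrupts control bytes: %d\n", trim_corrupts_control(0));
    printf("bounded trim corrupts control bytes:   %d\n", trim_corrupts_control(1));
    return 0;
}
```

The fix is the shape of the loop, not the data: carrying the remaining length (or comparing the pointer against the buffer start) is what keeps a trim from becoming a write into whatever allocator metadata precedes the block. A heap manager that keeps its control words in-band, as the one described here does, turns that single stray NUL into a corrupted free-list link.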

This shows the typical crash inside the free-list unlink. With correctly chosen offsets it is possible to execute arbitrary code. The demonstration exploit works locally and can therefore determine the needed offsets automatically through the substr_compare() information leak vulnerability. This looks like this.

This example shows a successful code execution exploit that currently waits for someone to connect to port 4444.

Proof of concept, exploit or instructions to reproduce

The attached exploit demonstrates that the buffer underflow is exploitable and allows code execution on the demonstration platform MacOS X on PPC. The exploit is actually identical to the MOPB-19-2007 exploit, with just the exploited function exchanged and the output removed, because otherwise header() will fail.

The exploit uses the substr_compare() information leak vulnerability to determine which offsets to overwrite.

When successful, the attached exploit will spawn a shell on port 4444. The shellcode was borrowed from the Metasploit shellcode generator.

Notes

This vulnerability could theoretically be triggered remotely. Many PHP applications are still vulnerable to header() injection. However, for a remote exploit to work, the injection has to be at the start of the string (with a \0 byte truncation).

Another thing this exploit demonstrates is how whole exploits can be reused against similar vulnerabilities without real changes.